SNMP V3 and CiscoWorks

rolf.fischer_2
Level 1

Hi,

today I configured a router (1760) for snmp v3:

snmp-server view ReadView internet included

snmp-server group OurGroup v3 auth read ReadView

snmp-server user xxxx OurGroup v3 auth md5 yyyy

Trying out with net-snmp works fine:

snmpwalk -v3 -u xxxx -l authNoPriv -a MD5 -A yyyy 192.168.1.1 system

...

system.sysORTable.sysOREntry.sysORUpTime.1 = Timeticks: (0) 0:00:00.00

system.sysORTable.sysOREntry.sysORUpTime.2 = Timeticks: (0) 0:00:00.00

system.sysORTable.sysOREntry.sysORUpTime.3 = Timeticks: (0) 0:00:00.00

system.sysORTable.sysOREntry.sysORUpTime.4 = Timeticks: (0) 0:00:00.00

system.sysORTable.sysOREntry.sysORUpTime.5 = Timeticks: (0) 0:00:00.00

system.sysORTable.sysOREntry.sysORUpTime.6 = Timeticks: (0) 0:00:00.00

...

Now I want to manage the router via our CiscoWorks and configured:

Campus Manager Administration - Admin - Device Discovery - SNMP Settings

->SNMPV3

Target: 192.168.1.*

Username: xxxx

Password: yyyy

Authentication: MD5

and started discovery with result "device unreachable".

Sniffing the packets, I found out that the CW sets "AuthParam" with value NULL, while net-snmp sets some (crypted) data.

The router doesn't respond to CW.

Looks to me like that's the problem.

We're using LMS 2.6.1

Any ideas how to make it work?

Thanks in advance,

kind regards

Rolf Fischer

8 Replies

Joe Clarke
Cisco Employee

If the device is already in DCR, check the v3 credentials under Common Services > Device and Credentials > Device Management. The first packet will go out incomplete so that Discovery can discover the SNMP engine ID, engine time, and boots. Once these values are sent from the device, the actual request packet should go out with valid AuthData, engine time, and boot count.

Hm, I don't know who rated this post - definitely it wasn't me ?!

The router is in DCR with correct credentials.

We're still having the same problem.

Could you post a redacted snippet of your snmpv3 view set from your router so we can see what you've allowed it to access?

I'm not sure if I understand the question.

Thought with

"snmp-server view ReadViewITZ internet included"

I allow the whole internet-tree (1.3.6.1...)

Please correct me if I'm wrong.

Regarding my posted picture:

The traced packet from Net-SNMP was fully encrypted; this was a first try with authPriv.

I changed that to authNoPriv meanwhile.

That's part of what I was looking for; redacted meaning remove or obscure the sensitive information from your configs...

Your device configuration should look something like this for querying remotely:

snmp-server group remotegroup v3 priv

snmp-server user remote PrivUser remotePrivGroup remote #.#.#.# v3 auth md5 password1 priv des56 password2

Right, I posted this part of my config yesterday:

snmp-server view ReadView internet included

snmp-server group OurGroup v3 auth read ReadView

snmp-server user CiscoWorks OurGroup v3 auth md5 yyyy

Doing a Device Credentials Verification Job a couple of minutes ago I got this message:

Setting v3 Param mode to authNoPriv. querying sysLocation.obtained exception while g/setting sysLocation com.cisco.nm.lib.snmp.futureapi.SnmpReqTimeoutException: SnmpRequestTimeout on 192.168.1.1 while performing SnmpGet at index = -1. Wrong Credentials.

That's strange because I re-checked the parameters and they are correct.

The CiscoWorks query should cause a report packet back from the device? What is the next packet to come from the device?

The problem is fixed now - I have to say sorry.

Between the router and the CW-server we have a cryptor which needs to have a bypass for our management-traffic.

This bypass was configured incompletely: The way back to the CW-server was missing.

We added that rule and now it works.

Embarrassing...
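
Added example, not part of the original thread: Joe Clarke's reply says the first discovery packet goes out incomplete and only the follow-up carries valid AuthData. The sketch below shows why for an MD5 user: under RFC 3414 the HMAC key is localized with the agent's snmpEngineID, so nothing can be computed until the device has answered. Function names are hypothetical, the password and engine ID are the RFC 3414 A.3.1 test vector, and the message bytes are constructed.

```python
import hashlib
import hmac

def password_to_key_md5(password: bytes) -> bytes:
    """RFC 3414 A.2.1: MD5 over the password repeated to exactly 1 MiB."""
    if not password:
        raise ValueError("password must not be empty")
    total = 1024 * 1024
    stream = (password * (total // len(password) + 1))[:total]
    return hashlib.md5(stream).digest()

def localize_key(ku: bytes, engine_id: bytes) -> bytes:
    """Bind the user key to one agent: MD5(Ku || snmpEngineID || Ku)."""
    return hashlib.md5(ku + engine_id + ku).digest()

def auth_params(password: bytes, engine_id, whole_msg: bytes) -> bytes:
    """msgAuthenticationParameters for an HMAC-MD5-96 user.

    engine_id is None before discovery: no localized key can exist yet,
    so the field goes out empty and the agent answers with a Report.
    """
    if engine_id is None:
        return b""
    kul = localize_key(password_to_key_md5(password), engine_id)
    # whole_msg must carry 12 zero bytes in the auth field while hashing.
    return hmac.new(kul, whole_msg, hashlib.md5).digest()[:12]

# Password and engine ID are the RFC 3414 A.3.1 test vector, not page values.
PASSWORD = b"maplesyrup"
ENGINE_ID = bytes.fromhex("000000000000000000000002")
# Constructed stand-in for a serialized SNMPv3 message (not real BER).
SAMPLE_MSG = b"constructed-snmpv3-message" + b"\x00" * 12

if __name__ == "__main__":
    print("discovery :", auth_params(PASSWORD, None, SAMPLE_MSG).hex() or "(empty)")
    print("after     :", auth_params(PASSWORD, ENGINE_ID, SAMPLE_MSG).hex())
```

In a capture, an empty authentication field in the manager's first request is therefore expected; the thing to check is whether the agent's Report with its engine ID reaches the manager.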
